Test one – (testing three systems at a time – need a bigger box to handle more VMs!)
downloading a software crack – I’m focusing on software cracks because the other typical method of infection, Porn, I choose not to spend my time looking at even for such a good cause as this.
MSSE – did not complain about the file
Norton 2010 – blocked the file – “downloader”
Avast – did not complain about the file
Fake Antivirus – Install file captured in wild
Attempt to copy onto desktop of VM –
MSSE – Detected and blocked copy
Avast – Allowed copy no problem
Avast – Since it allowed the copy I ran it. The fake A/V program downloaded the payload and installed the typical fake A/V. AVAST = OWNED.
Avast – Restore snapshot, start again.
Norton – after pausing the copy for a long time, it eventually stopped the copy and popped up a security alert.
Next – Install LimeWire, the number one virus installation tool in the world.
Download a software crack. Both MSSE and Norton hit on the trojan, but it seems that more of the trojan got stopped on the Norton system than on the MSSE system, although on the MSSE system the executable did not manifest even though it was running. The Avast system (after catching up to the others) hit on the download immediately and prompted to delete or quarantine. Avast – redeeming itself.
I’ll be honest here, I *am* biased towards Avast in this test; I’ve been a fan of it for a time now. I like to root for the “little guy” and see a lesser known A/V tool do well against the “big guys”. But, in the end, it is just a tool and if the “big guys” make a better tool – I’ll use it and recommend it.
It seems that Avast might be very adept at cleaning systems, but it MAY be falling behind MSSE and Norton ’10 on the fresh stuff.
More updates later.
Why do I want to do this test?
I get asked which antivirus product is better. I make recommendations. I know that antivirus and antimalware software are not perfect, but I DO know that there are some that are better than others.
I know which A/V products I see come in on machines that are infected and I know which A/V A/M products I use to clean up after those inferior A/V products. So, this is something for me to do in order to SEE the A/V products in action.
Using VirtualBox (latest version, December 2009).
Using a legit, activated and WGA-approved copy of XP Pro, Service Pack 3, all the updates, IE6. Not using IE7, IE8 or Firefox because I want to test the security software, not the browser.
Make multiple clones of the clean and updated VM.
The antivirus products we will be testing first –
One with Nothing
These are the products I want to test because they are the ones I am most curious about right now. All antivirus products will be installed and updated.
Then, we go to the internet and attempt to infect each virtual machine with the same viruses. We will basically see what happens and then document the results.
The idea is to have all test criteria the same except for the security product.
Like I said above, this is a test to see which security product I can honestly tell people is “better”.
And, with the power of these VMs I can possibly continue to do this test again and again and see how the landscape is evolving.
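The plan above (one clean, updated base VM; identical clones, one per product; the same samples run against each; snapshots rolled back between runs) can be scripted so the only variable really is the security product. The script below is an added example, not the author's own setup: it assumes a VBoxManage new enough to have `clonevm` (4.1 or later, so newer than the December 2009 build the post mentions), a base VM named xp-sp3-clean with a snapshot named clean-updated, and product labels (none, msse, norton2010, avast) chosen here for illustration. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): provision one identical XP VM per
# security product from a single clean base snapshot, then reset every box to its
# post-install "baseline" snapshot before each malware sample.
# Assumptions: VBoxManage 4.1+ on PATH; VM and snapshot names below are made up.
set -eu

BASE_VM="${BASE_VM:-xp-sp3-clean}"       # patched XP SP3 base, no A/V installed
BASE_SNAP="${BASE_SNAP:-clean-updated}"  # snapshot taken right after updating it
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print VBoxManage commands, do not run

# Products under test; "none" is the control box with nothing installed.
PRODUCTS="none msse norton2010 avast"

# Run a VBoxManage command, or print it in dry-run mode.
vbm() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'VBoxManage %s\n' "$*"
    else
        VBoxManage "$@"
    fi
}

# Linked clone of the base snapshot: identical content for every product,
# and cheap on disk because only the differences are stored.
clone_for_product() {
    vbm clonevm "$BASE_VM" --snapshot "$BASE_SNAP" --mode machine --options link \
        --name "xp-$1" --register
}

# After installing and updating the product by hand inside the clone,
# freeze that state so every sample starts from the same point.
snapshot_baseline() {
    vbm snapshot "xp-$1" take baseline
}

# Roll a box back to its baseline and boot it headless for the next sample.
reset_box() {
    vbm controlvm "xp-$1" poweroff || true   # tolerate a box that is already off
    vbm snapshot "xp-$1" restore baseline
    vbm startvm "xp-$1" --type headless
}

build_lab() {
    for p in $PRODUCTS; do clone_for_product "$p"; done
}

baseline_all() {
    for p in $PRODUCTS; do snapshot_baseline "$p"; done
}

reset_all() {
    for p in $PRODUCTS; do reset_box "$p"; done
}

# Usage: ./avlab.sh build | baseline | reset   (no argument does nothing)
case "${1:-}" in
    build)    build_lab ;;
    baseline) baseline_all ;;
    reset)    reset_all ;;
esac
```

Run `build` once, install and update each product inside its clone, take the baseline snapshots with `baseline`, then run `reset` before every sample so each product faces the same starting state. Keep the VMs on an isolated host-only network so a sample that gets through cannot reach anything but the lab.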
After discovering the joy of Sun’s VirtualBox, I am embarking on a test today if time allows. I will create a virtual armada of identical virtual XP boxes and install different antimalware/antivirus programs on them. I then will purposely expose the little buggers to all sorts of internet nastiness and see how well the top players do.
I don’t know whether I’m doing anything new or not, but the malware scene changes daily and this test is for ME to know.